Active Directory for Windows Server
Shekhar Parmar.
Index
• Active Directory Introduction
• Purpose of Active Directory
• Components of Active Directory
• Active Directory hierarchical structure
• Active Directory Database
• Flexible Single Master Operations (FSMO) Role
• DNS server
Active Directory Introduction
Logical Topology
The logical topology is divided into two parts:
1) Workgroup model, or peer-to-peer model
2) Domain model, or client-server model
Workgroup Model
• All computers are peers; no computer has control over another computer.
• Each computer has a set of user accounts. To use any computer in the workgroup, you must have an account on that computer.
Domain Model
• In the domain model, one or more computers are servers. Network administrators use servers to control the security and permissions for all computers in the domain. This makes it easy to make changes, because the changes are automatically made for all computers.
What is Active Directory?
• Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS.
• It is a database and directory service that maintains the relationships between resources and enables them to work together. It provides a centralized repository for user account information and for directory authentication, authorization, and assignment of rights and permissions.
Purpose of Active Directory
• To provide user logon and authentication services using the Kerberos protocol.
• To centralize and decentralize resource management.
• To centrally organize and manage user accounts, computers, groups, and network resources.
• To enable authorized users to easily access network resources.
Components of Active Directory
Domain
• A domain is a logical grouping of user, computer, and group objects for the purpose of management and security.
• Creating the initial domain controller in a domain creates the domain.
• We cannot have a domain without at least one domain controller.
• Each domain is identified by a DNS domain name.
Domain Controller
• A domain controller is a server that is configured to store a copy of the AD DS directory database (NTDS.DIT) and a copy of the SYSVOL folder.
• All domain controllers except RODCs store a read/write copy of both NTDS.DIT and the SYSVOL folder.
• Domain controllers host several other AD DS services, including the Kerberos authentication service and the Key Distribution Center.
• The Kerberos authentication service is used by user and computer accounts for logon authentication.
Kerberos authentication and authorization process
• Authentication is the process of presenting credentials (username/password) to a service and having that service validate you.
• When a user enters a username/password in a Kerberos environment, that information is sent to a server that is running the Authentication Service.
The Authentication Service passes that information to a database called the Key Distribution Centre (KDC).
If the username/password checks out, the Authentication Service sends a Ticket Granting Ticket (TGT) to the client, allowing the client to complete the logon process. The TGT contains a time stamp, the public key and a certificate.
Authorization is the process of granting access to resources on a server that is in the network.
Client & Member Server
Client
• A computer joined to the domain with a client operating system.
• Client operating systems include Windows 8, Windows 7, and Windows XP Professional.
Member Server
• A server joined to the domain with a server operating system.
• Server operating systems include Windows Server 2016, Windows Server 2012, and Windows Server 2008.
User management
• Local user: a user account created in the local database of a computer.
• Local users are generally used in the workgroup model.
• A local user can log in only on the respective computer.
• Domain user: a user account created in the Active Directory database.
• Domain users are used in the domain model.
• Domain users can log on to any computer in the domain.
Organizational Unit
• It is a logical container that contains Active Directory objects (users, groups, OUs, and other objects).
• It is also called a subtree.
• It is used for minimizing administrative tasks.
• It is used for organizing and managing Active Directory objects.
• It is used for delegating control to one or more users.
An organizational unit can have multiple OUs within it, but all attributes within the containing OU must be unique.
Active Directory organizational units cannot contain objects from other domains.
Delegation of control
• Granting a controlled set of permissions to a less privileged user to delegate an administrative task.
• The process of decentralizing the management of organizational units.
• Assigning management of an organizational unit to another user or group.
• Eases administration by distributing routine administrative tasks to another user or group.
Group
Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.
There are two types of groups in Active Directory:
• Distribution groups: used to create email distribution lists.
• Security groups: used to assign permissions to shared resources.
Additional Domain Controller
• If you already have one domain controller in a domain, you can add additional domain controllers to the domain to improve the availability and reliability of network services.
• Adding additional domain controllers can help provide fault tolerance, balance the load of existing domain controllers, and provide additional infrastructure support to sites.
• The replication type between two read/write DCs is multi-master replication.
Active Directory hierarchical structure
Tree
• A tree is a collection of domains within a Microsoft Active Directory network.
• If more than one domain exists, you can combine the multiple domains into hierarchical tree structures.
• The first domain created is the root domain of the first tree.
• Other domains in the same domain tree are child domains.
Forest
• An Active Directory forest is the largest logical container within Active Directory; it holds all Active Directory domains together.
• Each forest shares a single database, a single global address list and a security boundary. By default, a user or administrator in one forest cannot access another forest.
• Multiple domain trees within a single forest do not form a contiguous namespace.
• A forest has a single root domain, called the forest root domain.
• The forest root domain is the first domain created in the forest.
• Two forest-wide predefined groups reside in the forest root domain:
- Enterprise Admins
- Schema Admins
An Active Directory forest is the highest level of organization within Active Directory.
Trust Relationships
• A secure communication path that allows objects in one domain to be authenticated and accepted in another domain.
• Some trusts are created automatically:
- Parent and child domains trust each other.
- The tree root domain trusts the forest root domain.
• Other trusts are created manually.
• Forest-to-forest transitive trust relationships can be created in Windows Server 2003, 2008, and Windows Server 2012 forests only.
Trust categories
1. Transitive trust
2. Nontransitive trust
Trust directions
1. One-way incoming trust
2. One-way outgoing trust
Trust types
Five types of trusts: Default, Shortcut, External, Forest and Realm.
Transitive Trust
If domain A has a transitive trust with domain B, and domain B has a transitive trust with domain C, then domain A automatically trusts domain C.
Nontransitive Trust
If domain A has a nontransitive trust with domain B, and domain B has a transitive trust with domain C, then domain A does not automatically trust domain C.
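
The two rules above decide how far a single trust reaches, which is what an administrator needs to know when reviewing who can authenticate into a domain. The following PowerShell is an added example, not part of the original slides: it models each trust as a record "Trusting trusts Trusted" (the field names and the function name Get-EffectiveTrust are hypothetical) and computes the full set of domains a given domain ends up trusting, using constructed sample data for the A/B/C scenarios.

```powershell
# Added example: pure PowerShell, no directory access needed.
# Each trust record means "Trusting trusts Trusted" (assumed field names).

function Get-EffectiveTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [object[]] $Trusts
    )

    $ci       = [System.StringComparer]::OrdinalIgnoreCase
    $trusted  = [System.Collections.Generic.HashSet[string]]::new($ci)
    $expanded = [System.Collections.Generic.HashSet[string]]::new($ci)
    $queue    = [System.Collections.Generic.Queue[string]]::new()

    # Direct trusts always count, transitive or not.
    foreach ($t in ($Trusts | Where-Object { $_.Trusting -eq $Domain })) {
        [void]$trusted.Add($t.Trusted)
        # Only a transitive trust may be extended to the partner's own trusts.
        if ($t.Transitive) { $queue.Enqueue($t.Trusted) }
    }

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if (-not $expanded.Add($current)) { continue }   # already walked

        # Beyond the first hop, every link in the chain must be transitive.
        $next = $Trusts | Where-Object { $_.Trusting -eq $current -and $_.Transitive }
        foreach ($t in $next) {
            if ($t.Trusted -ne $Domain) {
                [void]$trusted.Add($t.Trusted)
                $queue.Enqueue($t.Trusted)
            }
        }
    }

    $trusted | Sort-Object
}

# Constructed sample data: the two scenarios from the slides.
$transitiveCase = @(
    [pscustomobject]@{ Trusting = 'A'; Trusted = 'B'; Transitive = $true }
    [pscustomobject]@{ Trusting = 'B'; Trusted = 'C'; Transitive = $true }
)
$nonTransitiveCase = @(
    [pscustomobject]@{ Trusting = 'A'; Trusted = 'B'; Transitive = $false }
    [pscustomobject]@{ Trusting = 'B'; Trusted = 'C'; Transitive = $true }
)

"Transitive A->B:    A trusts " + ((Get-EffectiveTrust -Domain 'A' -Trusts $transitiveCase) -join ', ')
"Nontransitive A->B: A trusts " + ((Get-EffectiveTrust -Domain 'A' -Trusts $nonTransitiveCase) -join ', ')
```
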
Default Trust
Shortcut trust
A shortcut trust is usually created when users want to speed up or enhance authentication performance between two domains in different trees but within the same forest.
External Trust
Forest Trust
Realm Trust
Functional Level
• In Active Directory Domain Services (AD DS), domain controllers can run different versions of Windows Server operating systems. The functional level of a domain or forest depends on which versions of Windows Server operating systems are running on the domain controllers in the domain or forest. The functional level of a domain or forest controls which advanced features are available in the domain or forest.
Domain functional level
Forest Functional Level
Active Directory Database
AD DS Database
• The Active Directory database uses the “Extensible Storage Engine (ESE)”, which is an indexed and sequential access method (ISAM) database.
• It uses a record-oriented database architecture, which provides extremely fast access to records. ESE indexes the data in the database file (NTDS). This database file can grow up to 16 terabytes and hold over 2 billion records.
• The default Active Directory database file location is C:\Windows\NTDS.
Active Directory database divided into partitions
Global Catalog
• The Global Catalog maintains indexes about objects. It contains full information about the objects in its own domain and partial information about the objects in other domains. Universal group membership information is stored in global catalog servers and replicated to all GCs in the forest.
• The port number for the Global Catalog is 3268.
Physical structure of Active Directory
• Domain controllers
• Sites
Site
• A site is a set of well-connected IP subnets.
• Sites are generally used for locating services (e.g. logon), replication, and Group Policy.
• Sites are connected with site links.
• A site can span multiple domains.
• A domain can span multiple sites.
Read-only domain controller
• An RODC addresses some of the problems that are commonly found in branch offices.
• These locations might not have a DC, or they might have a writable DC but no physical security for that DC, low network bandwidth, or inadequate expertise to support that DC.
Functionality of RODCs
• Read-only AD DS database.
• Unidirectional replication.
• Credential caching.
• Administrator role separation.
Read-only AD DS database
• Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds.
• However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.
Unidirectional replication
• Because no changes are written directly to the RODC, writable DCs do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest.
Credential caching
• By default, a read-only domain controller does not store any credentials.
• You must explicitly allow any credential to be cached on an RODC.
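
Because caching must be allowed explicitly, it is worth reviewing what each branch-office RODC is permitted to cache and what it actually holds. The following PowerShell is an added example, not part of the original slides; it assumes the ActiveDirectory RSAT module and read access to the domain, and the function name Get-RodcCredentialCacheReport and the default list of privileged groups are assumptions to adjust per environment.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-RodcCredentialCacheReport {
    [CmdletBinding()]
    param(
        # Groups treated as privileged here (an assumption; adjust to your own tiering).
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )

    # Distinguished names of all direct and nested members of the privileged groups.
    $privilegedDns = foreach ($group in $PrivilegedGroups) {
        try {
            (Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop).DistinguishedName
        } catch {
            Write-Verbose "Group '$group' not found in this domain; skipped."
        }
    }

    $rodcs = Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly }
    foreach ($rodc in $rodcs) {
        # Principals whose passwords this RODC is explicitly allowed to cache.
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed

        # Accounts whose passwords are stored on this RODC right now.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

        foreach ($account in $revealed) {
            # The RODC's own computer account and its dedicated krbtgt account
            # are cached on every RODC, so they are reported as expected.
            $finding = if ($account.DistinguishedName -eq $rodc.ComputerObjectDN -or
                           $account.SamAccountName -like 'krbtgt_*') {
                'Expected: RODC computer or krbtgt account'
            } elseif ($account.DistinguishedName -in $privilegedDns) {
                'REVIEW: privileged account cached on RODC'
            } else {
                'Cached by policy'
            }

            [pscustomobject]@{
                Rodc          = $rodc.HostName
                Site          = $rodc.Site
                CachedAccount = $account.SamAccountName
                Finding       = $finding
                AllowedList   = ($allowed.SamAccountName -join ', ')
            }
        }
    }
}

Get-RodcCredentialCacheReport | Sort-Object Rodc, Finding | Format-Table -AutoSize -Wrap
```
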
Administrator Role Separation
• You can delegate local administrative permissions for an RODC to any domain user without granting that user rights for the domain or other domain controllers.
• In this way, the branch user can be delegated the ability to effectively manage and perform maintenance work on the server, such as upgrading a driver, in the branch office RODC only, without compromising the security of the rest of the domain.
Install from media (IFM)
• If you have a network that is slow, unreliable, or costly, you might find it necessary to add another domain controller at a remote location or branch office.
• IFM process must take place over a potentially unreliable WAN connection. As an alternative, and to significantly reduce the amount of traffic copied over WAN link.
• Most of the copying is then done locally, and the WAN link is used only for security traffic and to ensure that the new domain controller receives any changes that are made after you create the IFM backup.
FSMO Roles or Active Directory Roles
Schema master
• The schema is a set of rules that defines the structure of AD.
• The schema contains definitions of all objects that are stored in AD.
The schema is further classified into:
1) Classes: a class is a template that is used to create an object.
2) Attributes: attributes are properties of an object.
• The schema master is responsible for performing updates to the AD DS schema. The schema master is the only domain controller that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest. Having only one schema master for each forest prevents any conflicts that would result if two or more domain controllers attempted to update the schema concurrently.
Naming master role
• The domain naming master manages the addition and removal of all domains and directory partitions, regardless of domain, in the forest hierarchy. The domain controller that has the domain naming master role must be available in order to perform the following actions:
- Add new domains or application directory partitions to the forest.
- Remove existing domains or application directory partitions from the forest.
- Add replicas of existing application directory partitions to additional domain controllers.
- Add or remove cross-reference objects to or from external directories.
- Prepare the forest for a domain rename operation.
RID Master
• The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID).
• This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.
PDC Emulator
• Acts as the central time synchronization authority within an AD forest (this applies only to the PDC FSMO in the forest root AD domain).
• Any password changes or account lockouts that occur on any DC are communicated to the PDC securely.
• When a logon attempt fails because of an incorrect password, the PDC is checked for a new password.
• Editing of GPOs occurs by default on the PDC FSMO.
• When root scalability mode is not enabled (the default), DFS root servers get updates from the PDC FSMO. When root scalability is enabled, DFS root servers get updates from the closest DC instead.
• The PDC FSMO is the only DC that applies the password policy settings and the account lockout policy settings specified at domain level and writes the information to the domain NC.
Infrastructure Master
• The infrastructure master is the domain controller responsible for updating an object's SID and distinguished name in a cross-domain object reference.
• There can be only one domain controller acting as the infrastructure master in each domain.
• The infrastructure master (IM) role should be held by a domain controller that is not a global catalog server. If the infrastructure master runs on a global catalog server, it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.
• If all domain controllers in a domain also host the global catalog, all the domain controllers have the current data and it is not important which domain controller holds the infrastructure master role.
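
The role placement described in the FSMO slides can be checked against a live forest. The following PowerShell is an added example, not part of the original slides; it assumes the ActiveDirectory RSAT module and read access to every domain in the forest, and the function name Get-FsmoPlacementReport is hypothetical. It lists the five role holders and applies the infrastructure master rule exactly as stated above, including the exception when every DC in the domain is a global catalog.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    [CmdletBinding()]
    param(
        # Forest to inspect; defaults to the current user's forest.
        [string]$ForestName = (Get-ADForest).Name
    )

    $forest = Get-ADForest -Identity $ForestName

    # Forest-wide roles: exactly one holder each for the whole forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{
            Scope  = "Forest: $($forest.Name)"
            Role   = $role
            Holder = $forest.$role
            Note   = ''
        }
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName -Server $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

        # Domain-wide roles: exactly one holder each per domain.
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $note = ''
            if ($role -eq 'InfrastructureMaster') {
                $holder   = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
                $nonGcDcs = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

                if ($holder.IsGlobalCatalog -and $nonGcDcs.Count -gt 0) {
                    # Rule from the slides: IM on a GC while other DCs are not GCs.
                    $note = "WARNING: holder is a global catalog; $($nonGcDcs.Count) DC(s) in the domain are not"
                } elseif ($holder.IsGlobalCatalog) {
                    # Exception from the slides: every DC in the domain hosts the GC.
                    $note = 'Holder is a global catalog, but so is every DC in the domain'
                }
            }

            [pscustomobject]@{
                Scope  = "Domain: $($domain.DNSRoot)"
                Role   = $role
                Holder = $domain.$role
                Note   = $note
            }
        }
    }
}

Get-FsmoPlacementReport | Format-Table -AutoSize -Wrap
```
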
Active Directory Recycle Bin
• Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime.
• From the Administrative Center we can restore a deleted user.
Recycle bin
Domain Name System
DNS
• Provides resolution of names to IP addresses and of IP addresses to names.
• Defines a hierarchical namespace where each level of the namespace is separated by a dot (.).
• DNS is like a phone book for the Internet. If you know a person’s name but don’t know their telephone number, you can simply look it up in a phone book. DNS provides this same service to the Internet.
• When you visit http://dyn.com in a browser, your computer uses DNS to retrieve the website’s IP address of 204.13.248.115. Without DNS, you would only be able to visit our website (or any website) by visiting its IP address directly, such as http://204.13.248.115.
Authoritative & Non-Authoritative DNS server
• An authoritative DNS server will either:
- Return the requested IP address
- Return an authoritative “NO”
• A non-authoritative DNS server will either:
- Check its cache
- Use forwarders
- Use root hints
Fully Qualified Domain Name
• Identifies a host’s name within the DNS namespace hierarchy.
• Host name + DNS domain name = FQDN
Example
• Host name: Sys1 & Domain name: MS.COM
• FQDN will be: Sys1.MS.com
DNS Zone
• A zone is a storage database that contains all zone records.
• Forward Lookup Zone
- Used for resolving host names to IP addresses.
- It maintains host-to-IP-address mapping information.
• Reverse Lookup Zone
- Used for resolving IP addresses to host names.
- It maintains IP-address-to-host mapping information.
Types of Records
• SOA Records
- The first record in the zone file.
• NS Records
- Identify the DNS server for each zone.
• Host Records
- Resolve a host name to an IP address.
• Alias Record
- Resolves an alias name to a host name.
• Pointer Record
- Resolves an IP address to a host name.
• MX Record
- Used by the mail server.
• SRV Record
- Resolves names of servers providing services.
Zone Types
• Standard Primary
- It is the master copy of all zone information. It is a read/write copy.
• Standard Secondary
- It is a backup of the primary zone. It is read-only.
• Stub Zone
- It contains only NS, SOA, and possibly glue (A) records, which are used to locate name servers.
• Active Directory Integrated
- It stores the zone information in the Active Directory database.
What is a Forwarder
A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network.
Conditional Forwarder
Conditional forwarders forward requests using a domain name condition.
DNS cache
• A DNS cache (sometimes called a DNS resolver cache) is a temporary database, maintained by a computer's operating system, that contains records of all recent visits and attempted visits to Web sites and other Internet domains.
THE END

Cheryl Hung
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 

Recently uploaded (20)

"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

Active Directory Fundamentals

  • 1. Active Directory for Windows Server. Shekhar Parmar.
  • 2. Index
      - Active Directory Introduction
      - Purpose of Active Directory
      - Components of Active Directory
      - Active Directory hierarchical structure
      - Active Directory Database
      - Flexible Single Master Operations (FSMO) Role
      - DNS server
  • 4. Logical Topology
      Logical topology is divided into two parts:
      1) Workgroup model, or peer-to-peer model
      2) Domain model, or client-server model
  • 5. Workgroup Model
      - All computers are peers; no computer has control over another computer.
      - Each computer has a set of user accounts. To use any computer in the workgroup, you must have an account on that computer.
  • 6. Domain Model
      - In this model, one or more computers are servers. Network administrators use servers to control the security and permissions for all computers in the domain. This makes it easy to make changes because the changes are automatically made for all computers.
  • 7. What is Active Directory?
      - Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS.
      - It is a database and directory service that maintains the relationships between resources and enables them to work together. It provides a centralized repository for user account information and directory authentication, authorization, and assignment of rights and permissions.
  • 8. Purpose of Active Directory
      - Provide user logon and authentication services using the Kerberos protocol
      - Centralize and decentralize resource management
      - Centrally organize and manage user accounts, computers, groups, and network resources
      - Enable authorized users to easily access network resources
  • 9. Components of Active Directory
  • 10. Domain
      - A domain is a logical grouping of user, computer, and group objects for the purpose of management and security.
      - Creating the initial domain controller in a domain creates the domain.
      - We cannot have a domain without at least one domain controller.
      - Each domain is identified by a DNS domain name.
  • 11. Domain Controller
      - A domain controller is a server that is configured to store a copy of the AD DS directory database (NTDS.DIT) and a copy of the SYSVOL folder.
      - All domain controllers except RODCs store a read/write copy of both NTDS.DIT and the SYSVOL folder.
      - Domain controllers host several other AD DS services, including the Kerberos authentication service and the Key Distribution Center.
      - The Kerberos authentication service is used by user and computer accounts for logon authentication.
  • 12. Kerberos authentication and authorization process
      - Authentication is the process of presenting credentials (username/password) to a service and having that service validate you.
      - When a user enters a username/password in a Kerberos environment, that information is sent to a server that is running the Authentication Service.
  • 13. The Authentication Service passes that information to a database called the Key Distribution Centre (KDC).
  • 14. If the username/password checks out, the Authentication Service sends a Ticket Granting Ticket (TGT) to the client, allowing the client to complete the logon process. The TGT contains a time stamp, the public key and a certificate. Authorization is the process of granting access to resources on a server that is in the network.
  • 15. Client & Member Server: Client
      - A computer joined to the domain with a client operating system
      - Client operating systems include Windows 8, Windows 7, Windows XP Professional
  • 16. Member Server
      - A server joined to the domain with a server operating system
      - Server operating systems include Windows Server 2016, Windows Server 2012, Windows Server 2008
  • 17. User management
      - Local user: a user account created in the local database of a computer.
      - Local users are generally used in the workgroup model.
      - A local user can log in only on the respective computer.
      - Domain user: a user account created in the Active Directory database.
      - Domain users are used in the domain model.
      - Domain users can log on to any computer in the domain.
  • 18. Organizational Unit
      - It is a logical container that contains Active Directory objects (users, groups, OUs and other objects).
      - It is also called a subtree.
      - It is used for minimizing administrative tasks.
      - It is used for organizing and managing Active Directory objects.
      - It is used for delegating control to one or more users.
  • 19. An organizational unit can have multiple OUs within it, but all attributes within the containing OU must be unique. Active Directory organizational units cannot contain objects from other domains.
  • 20. Delegation of control
      - Granting a controlled set of permissions to a less privileged user to delegate an administrative task
      - The process of decentralizing the management of organizational units
      - Assigning management of an organizational unit to another user or group
      - Eases administration by distributing routine administrative tasks to another user or group
  • 21. Group
      Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration. There are two types of groups in Active Directory:
      - Distribution groups: used to create email distribution lists.
      - Security groups: used to assign permissions to shared resources.
  • 22. Additional Domain Controller
      - If we already have one domain controller in a domain, we can add additional domain controllers to the domain to improve the availability and reliability of network services.
      - Adding additional domain controllers can help provide fault tolerance, balance the load of existing domain controllers, and provide additional infrastructure support to sites.
      - The replication type between two read/write DCs is multi-master replication.
  • 24. Tree
      - A tree is a collection of domains within a Microsoft Active Directory network.
      - If more than one domain exists, you can combine the multiple domains into hierarchical tree structures.
      - The first domain created is the root domain of the first tree.
      - Other domains in the same domain tree are child domains.
  • 25. Tree
  • 26. Forest
      - An Active Directory forest is the largest logical container within Active Directory, which holds all Active Directory domains together.
      - Each forest shares a single database, a single global address list and a security boundary. By default, a user or administrator in one forest cannot access another forest.
      - Multiple domain trees within a single forest do not form a contiguous namespace.
  • 27. Forest
      - A forest has a single root domain, called the forest root domain.
      - The forest root domain is the first domain created in the forest.
      - Two forest-wide predefined groups reside in the forest root domain:
          - Enterprise Admins
          - Schema Admins
  • 28. An Active Directory forest is the highest level of organization within Active Directory.
  • 29. Trust Relationships
      - A secure communication path that allows objects in one domain to be authenticated and accepted in another domain.
      - Some trusts are automatically created.
          - Parent and child domains trust each other.
          - A tree root domain trusts the forest root domain.
      - Other trusts are manually created.
      - Forest-to-forest transitive trust relationships can be created in Windows Server 2003, 2008 and Windows Server 2012 forests only.
  • 30. Trust Relationship
      - Trust categories: 1. Transitive trust 2. Nontransitive trust
      - Trust directions: 1. One-way incoming trust 2. One-way outgoing trust
      - Trust types: five types of trusts: Default, Shortcut, External, Forest and Realm.
  • 31. Transitive Trust
      If domain A has a transitive trust on domain B and domain B has a transitive trust on domain C, then domain A automatically trusts domain C.
  • 32. Nontransitive Trust
      If domain A has a nontransitive trust on domain B and domain B has a transitive trust on domain C, then domain A does not automatically trust domain C.
  • 34. Shortcut trust
      A shortcut trust is usually created when users want to speed up or enhance authentication performance between two domains in different trees but within the same forest.
  • 38. Functional Level
      - In Active Directory Domain Services (AD DS), domain controllers can run different versions of Windows Server operating systems. The functional level of a domain or forest depends on which versions of Windows Server operating systems are running on the domain controllers in the domain or forest. The functional level of a domain or forest controls which advanced features are available in the domain or forest.
  • 42. AD DS Database
      - The Active Directory database uses the "Extensible Storage Engine (ESE)", which is an indexed and sequential access method (ISAM) database.
      - It uses a record-oriented database architecture, which provides extremely fast access to records. ESE indexes the data in the database file (NTDS). This database file can grow up to 16 terabytes and hold over 2 billion records.
      - The default Active Directory database file location is C:\Windows\NTDS.
  • 43. The Active Directory database is divided into partitions
  • 44. Global Catalog
      - The Global Catalog maintains indexes about objects. It contains full information about the objects in its own domain and partial information about the objects in other domains. Universal group membership information is stored on global catalog servers and replicated to all GCs in the forest.
      - The port number for the Global Catalog is 3268.
  • 45. Physical structure of Active Directory
      - Domain controllers
      - Sites
  • 46. Site
      - A site is a set of well-connected IP subnets.
      - Sites are generally used for locating services (e.g. logon), replication, and Group Policy.
      - Sites are connected with site links.
      - A site can span multiple domains.
      - A domain can span multiple sites.
  • 47. Site
  • 48. Read-only domain controller
      - RODCs address some of the problems that are commonly found in branch offices.
      - These locations might not have a DC, or they might have a writable DC but no physical security for that DC, low network bandwidth, or inadequate expertise to support that DC.
  • 49. Functionality of RODCs
      - Read-only AD DS database
      - Unidirectional replication
      - Credential caching
      - Administrator role separation
  • 50. Read-only AD DS database
      - Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds.
      - However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.
  • 51. Unidirectional replication
      - Because no changes are written directly to the RODC, writable DCs do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest.
  • 52. Credential Caching
      - By default, a read-only domain controller does not store any credentials.
      - You must explicitly allow any credential to be cached on an RODC.
  • 53. Administrator Role Separation
      - You can delegate local administrative permissions for an RODC to any domain user without granting that user rights for the domain or other domain controllers.
      - In this way, the branch user can be delegated the ability to effectively manage and perform maintenance work on the server, such as upgrading a driver, in the branch office RODC only, without compromising the security of the rest of the domain.
  • 54. Install from media (IFM)
      - If you have a network that is slow, unreliable, or costly, you might find it necessary to add another domain controller at a remote location or branch office.
      - IFM process must take place over a potentially unreliable WAN connection. As an alternative, and to significantly reduce the amount of traffic copied over the WAN link.
      - Most of the copying is then done locally, and the WAN link is used only for security traffic and to ensure that the new domain controller receives any changes that are made after you create the IFM backup.
  • 55. FSMO Role or Active Directory Role
  • 56. Schema master
      - The schema is a set of rules that defines the structure of AD.
      - The schema contains definitions of all objects that are stored in AD. The schema is further classified into:
          1) Classes: a class is a template that is used to create an object.
          2) Attributes: attributes are properties of an object.
  • 57. Schema master
      - The schema master is responsible for performing updates to the AD DS schema. The schema master is the only domain controller that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest. Having only one schema master for each forest prevents any conflicts that would result if two or more domain controllers attempted to update the schema concurrently.
  • 58. Naming master role
      - The domain naming master manages the addition and removal of all domains and directory partitions, regardless of domain, in the forest hierarchy. The domain controller that has the domain naming master role must be available in order to perform the following actions:
      - Add new domains or application directory partitions to the forest.
  • 59. Naming master
      - Remove existing domains or application directory partitions from the forest.
      - Add replicas of existing application directory partitions to additional domain controllers.
      - Add or remove cross-reference objects to or from external directories.
      - Prepare the forest for a domain rename operation.
  • 60. RID Master
      - The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID).
      - This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.
  • 61. PDC Emulator
      - Acts as the central time sync authority within an AD forest (this only applies to the PDC FSMO in the forest root AD domain).
      - Any password changes or account lockouts that occur on any DC are communicated to the PDC securely.
      - When a logon attempt fails because of an incorrect password, the PDC is checked for a new password.
  • 62. PDC Emulator
      - Editing GPOs by default occurs on the PDC FSMO.
      - When root scalability mode is not enabled (the default), DFS root servers get updates from the PDC FSMO. When root scalability is enabled, DFS root servers get updates from the closest DC instead.
      - The PDC FSMO is the only DC that applies the password policy settings and the account lockout policy settings specified at domain level and writes the information to the domain NC.
  • 63. Infrastructure Master
      - The infrastructure master is the domain controller responsible for updating an object's SID and distinguished name in a cross-domain object reference.
      - There can be only one domain controller acting as the infrastructure master in each domain.
      - The infrastructure master (IM) role should be held by a domain controller that is not a global catalog server. If the infrastructure master runs on a global catalog server, it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds
  • 64. Infrastructure Master
      - a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.
      - If all domain controllers in a domain also host the global catalog, all the domain controllers have the current data and it is not important which domain controller holds the infrastructure master role.
  • 65. Active Directory Recycle Bin
      - Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime.
      - From the Administrative Center we can restore a deleted user.
  • 68. DNS
      - Provides resolution of names to IP addresses and resolution of IP addresses to names.
      - Defines a hierarchical namespace where each level of the namespace is separated by a dot (.).
  • 69. DNS
      - DNS is like a phone book for the Internet. If you know a person's name but don't know their telephone number, you can simply look it up in a phone book. DNS provides this same service to the Internet.
      - When you visit http://dyn.com in a browser, your computer uses DNS to retrieve the website's IP address of 204.13.248.115. Without DNS, you would only be able to visit our website (or any website) by visiting its IP address directly, such as http://204.13.248.115.
  • 70. Authoritative & Non-Authoritative DNS server
      - An authoritative DNS server will either:
          - Return the requested IP address
          - Return an authoritative "NO"
      - A non-authoritative DNS server will either:
          - Check its cache
          - Use forwarders
          - Use root hints
  • 71. Fully Qualified Domain Name
      - Identifies a host's name within the DNS namespace hierarchy
      - Host name + DNS domain name = FQDN
      - Example: host name Sys1 and domain name MS.COM give the FQDN Sys1.MS.com
  • 72. DNS Zone
      - A zone is a storage database that contains all zone records.
      - Forward lookup zone
          - Used for resolving host names to IP addresses.
          - It maintains host-to-IP-address mapping information.
  • 73. DNS Zone
      - Reverse lookup zone
          - Used for resolving IP addresses to host names.
          - It maintains IP-address-to-host mapping information.
  • 74. Types of Records
      - SOA record: the first record in the zone file.
      - NS record: identifies the DNS server for each zone.
      - Host record: resolves a host name to an IP address.
  • 75. Types of Records
      - Alias record: resolves an alias name to a host name.
      - Pointer record: resolves an IP address to a host name.
      - MX record: used by the mail server.
      - SRV record: resolves names of servers providing services.
  • 76. Zone Types
      - Standard primary: the master copy of all zone information. It is a read/write copy.
      - Standard secondary: a backup of the primary zone. It is read-only.
      - Stub zone: contains only NS, SOA and possibly glue (A) records, which are used to locate name servers.
      - Active Directory integrated: stores the zone information in the Active Directory database.
  • 77. What is a Forwarder
      A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network.
  • 78. Conditional Forwarder
      Conditional forwarders forward requests using a domain name condition.
  • 79. DNS cache
      - A DNS cache (sometimes called a DNS resolver cache) is a temporary database, maintained by a computer's operating system, that contains records of all recent visits and attempted visits to Web sites and other Internet domains.
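
Added example (not part of the original slides): the transitive and nontransitive trust rule from slides 31 and 32, written as a small Python audit that lists every domain a given domain ends up trusting and the trust path that makes it so. The tuple format, function names and the domain names in the sample topology are assumptions made for this example.

```python
from collections import deque

# Each trust is (trusting_domain, trusted_domain, transitive). A two-way
# trust is written as two tuples, one per direction.
# Constructed sample topology; all domain names are made up.
TRUSTS = [
    ("corp.example", "emea.corp.example", True),    # parent-child, two-way
    ("emea.corp.example", "corp.example", True),
    ("corp.example", "partner.example", False),     # one-way, nontransitive
    ("partner.example", "vendor.example", True),
]


def effective_trusts(trusts, source):
    """Return {trusted_domain: trust_path} for everything `source` trusts.

    A direct trust always applies. A chain of trusts applies only when
    every hop in the chain is transitive, so a nontransitive trust never
    extends past the two domains it connects.
    """
    edges = {}
    for trusting, trusted, transitive in trusts:
        edges.setdefault(trusting, []).append((trusted, transitive))

    paths = {}
    seen = {source}
    queue = deque([(source, [source])])
    # Breadth-first walk that follows transitive trusts only.
    while queue:
        domain, path = queue.popleft()
        for trusted, transitive in edges.get(domain, []):
            if transitive and trusted not in seen:
                seen.add(trusted)
                paths[trusted] = path + [trusted]
                queue.append((trusted, path + [trusted]))

    # Nontransitive trusts count for the direct neighbour and stop there.
    for trusted, _ in edges.get(source, []):
        if trusted != source:
            paths.setdefault(trusted, [source, trusted])
    return paths


def unexpected_trusts(trusts, source, approved):
    """Trusted domains (with their trust path) that are not in `approved`."""
    found = effective_trusts(trusts, source)
    return {d: p for d, p in found.items() if d not in approved}


if __name__ == "__main__":
    for domain, path in sorted(effective_trusts(TRUSTS, "corp.example").items()):
        print(domain, "via", " -> ".join(path))
```

Running the audit for every domain in a forest and comparing the result with the approved list shows where a manually created trust reaches further than intended.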
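
Added example (not part of the original slides): slide 60 says a SID is a domain SID plus a RID. This Python sketch decodes the binary SID layout used by Windows into its string form, splits off the RID, and flags a few well-known privileged RIDs. The function names, the short RID table and all sample SID values are assumptions constructed for this example.

```python
import struct

# Well-known RIDs of privileged built-in principals (subset).
PRIVILEGED_RIDS = {
    500: "Administrator",
    502: "krbtgt",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into its S-<rev>-<authority>-<sub>... string."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])       # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_sid(sid: str):
    """Return (domain_sid, rid) for a domain principal, else (sid, None)."""
    parts = sid.split("-")
    # Domain principals look like S-1-5-21-<three domain values>-<RID>.
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:-1]), int(parts[-1])
    return sid, None


def audit(records, local_domain_sid):
    """Flag privileged RIDs and SIDs that another domain issued."""
    findings = []
    for name, raw in records:
        domain_sid, rid = split_sid(parse_sid(raw))
        if rid is None:
            findings.append((name, "not a domain-issued SID"))
        elif domain_sid != local_domain_sid:
            findings.append((name, "issued by another domain"))
        elif rid in PRIVILEGED_RIDS:
            findings.append((name, f"privileged: {PRIVILEGED_RIDS[rid]}"))
    return findings


def build_sid(authority, *subs):
    """Helper that packs the constructed sample data below."""
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


# Constructed sample values, not taken from a real directory.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
OTHER = (21, 1234567890, 1234567890, 1234567890)
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    ("alice", build_sid(5, *DOMAIN, 1104)),
    ("Domain Admins", build_sid(5, *DOMAIN, 512)),
    ("migrated-user", build_sid(5, *OTHER, 1201)),
    ("Everyone", build_sid(1, 0)),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE, LOCAL_DOMAIN_SID):
        print(f"{name}: {reason}")
```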
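
Added example (not part of the original slides): slides 71 to 75 describe FQDNs, forward and reverse lookup zones, and host, alias and pointer records. This Python sketch models both zones in memory, resolves an alias through to a host record, and reports host records whose pointer record is missing or names a different host. The zone contents are constructed; host names follow the slide's Sys1 / MS.com example, and the addresses come from the 192.0.2.0/24 documentation range.

```python
import ipaddress

# Constructed sample zone data (see the lead-in for where the names come from).
FORWARD_ZONE = {
    "sys1.ms.com": ("A", "192.0.2.10"),
    "sys2.ms.com": ("A", "192.0.2.11"),
    "sys3.ms.com": ("A", "192.0.2.12"),
    "www.ms.com": ("CNAME", "sys1.ms.com"),
}
REVERSE_ZONE = {
    "10.2.0.192.in-addr.arpa": "sys1.ms.com",
    "11.2.0.192.in-addr.arpa": "old-sys2.ms.com",   # stale pointer
}


def fqdn(host, domain):
    """Host name + DNS domain name = FQDN, normalised to lower case."""
    return f"{host.strip('.')}.{domain.strip('.')}".lower()


def resolve(name, zone, max_hops=8):
    """Follow alias (CNAME) records until a host (A) record is found."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        record = zone.get(name)
        if record is None:
            return None                      # name not present in the zone
        rtype, value = record
        if rtype == "A":
            return value
        name = value.lower().rstrip(".")     # alias: look up its target next
    raise ValueError("alias chain too long or looping")


def reverse_name(ip):
    """Name under which the reverse lookup zone stores the pointer record."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_pointers(forward, reverse):
    """List host records whose pointer record is missing or inconsistent."""
    findings = []
    for name in sorted(forward):
        rtype, value = forward[name]
        if rtype != "A":
            continue
        target = reverse.get(reverse_name(value))
        if target is None:
            findings.append((name, value, "no PTR record"))
        elif target.lower().rstrip(".") != name:
            findings.append((name, value, f"PTR names {target}"))
    return findings


if __name__ == "__main__":
    print(fqdn("Sys1", "MS.COM"), "->", resolve("www.ms.com", FORWARD_ZONE))
    for finding in check_pointers(FORWARD_ZONE, REVERSE_ZONE):
        print(finding)
```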